In a recent judgment,1 the French-speaking section of the Brussels Labour Court confirmed that a Data Protection Officer (DPO) may not be penalised or dismissed for reasons related to his/her function as a DPO, based on Article 38, §3 of the GDPR. The court ruled that the employer had violated this provision as it had failed to prove that the employment contract's termination was not linked to the employee's DPO role.
Although neither the GDPR nor Belgian legislation provide for a specific protection indemnity for a DPO dismissed for reasons linked to his/her duties, the court decided to grant, as the employee had requested, an indemnity equal to 3 months' salary.
A DPO must be able to execute his/her role completely independently
A DPO is an expert responsible for ensuring a company's compliance with the GDPR and the safeguarding of personal data. This role requires a degree of independence, which might sometimes mean conflict with the employer's interests and raises questions about the DPO's protection in the event of a dismissal.
In the case presented to the Brussels Labour Court, the employee combined the DPO role with the role of Chief Information Security Officer (CISO).
The employee was dismissed with payment of the normal indemnity in lieu of notice (here, 13 weeks' salary).
Arguing that his dismissal was directly linked to his DPO role, the employee brought proceedings before the French-speaking section of the Brussels Labour Court, claiming two separate indemnities, namely (i) a protection indemnity evaluated ex aequo et bono ('from equity and conscience') at three months' salary for the dismissal of a protected worker, and (ii) an indemnity equal to 17 weeks' salary for manifestly unreasonable dismissal.
The employer contested these claims, asserting that the dismissal was based on professional shortcomings unrelated to the DPO's duties.
A DPO's protection under the GDPR and European case law
The GDPR, and in particular its Article 38, §3 stipulates that a DPO may not be dismissed or penalised for reasons related to the performance of his/her DPO duties. The objective is to safeguard the DPO's independence vis-à-vis the employer.
Moreover, the Court of Justice of the European Union (CJEU) in its Leistritz ruling2 further clarified that a DPO's protection against dismissal means he or she may not be removed or penalised for reasons linked to their role, but may be dismissed for serious misconduct or another legitimate reason unrelated to their duties.
Applying both Article 38, §3 GDPR and this case law, the Brussels Labour Court held that the employer had to prove that the dismissal was based solely on reasons unrelated to the employee's DPO function. However, in the court's opinion, the employee's roles as DPO and CISO were intertwined and the grievances raised by the employer concerned both roles, without a clear distinction. Therefore, in the absence of sufficient justification, the court concluded that the dismissal violated Article 38, §3 of the GDPR.
A protection indemnity determined ex aequo et bono
Although neither the GDPR nor Belgian law provide for a specific indemnity in cases of a DPO's wrongful dismissal, the Brussels Labour Court decided to award a protection indemnity, which was evaluated ex aequo et bono at three months' salary.
However, the court explicitly indicated that it granted an indemnity equal to three months' salary as it is bound by the legal requests made by the parties and here the employee had claimed a protection indemnity of "only" three months' salary.
It cannot be excluded and is even likely that the court would have granted a higher indemnity if the employee had requested that, since the court explicitly referred to other existing protection regimes under Belgian law, notably those applying to victims of harassment, discrimination, and to trade union representatives or prevention advisors, who are entitled to higher protection indemnities for wrongful dismissal.
Conversely, the claim for manifestly unreasonable dismissal was dismissed. The court considered that, although the employer had not proved that the dismissal was entirely unrelated to the employee's function as a DPO, the grievances raised against the employee were based on objective elements concerning the employee's behaviour and skills.
A legislative omission
The absence of a legal provision on a protection indemnity creates uncertainty for employers, who must rely on judicial interpretation in the absence of clear rules.
However, it remains to be seen if and how the Belgian legislator will react to this ruling, especially as it was announced in the new Belgian government's coalition agreement that the government intends to reduce the number of dismissal protections under Belgian law.
Footnotes
1 Labour Court of Brussels, French-speaking section, 17 May 2024, role number 23/853/A.
2 CJEU, 22 June 2022, C-534/20.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
